AWS CloudTrail Lake
The AWS CloudTrail Lake integration allows you to forward Snyk audit logs to AWS CloudTrail Lake, which lets you run SQL-based queries on your logs and retain them for up to seven (7) years.
To enable the AWS CloudTrail Lake integration, you must do the following:
Add a Snyk integration in AWS CloudTrail Lake.
Configure the integration in Snyk.
Add a Snyk integration in AWS CloudTrail Lake
Follow the setup instructions in the AWS CloudTrail Lake documentation, choosing Snyk as the integration type.

During the setup, supply an External ID for the integration. Set this field to your Snyk Organization ID, which you can find by going to the Snyk settings page.

Copy your Snyk Organization ID to the External ID field in the AWS CloudTrail Lake integration setup and continue following the instructions in the AWS CloudTrail Lake documentation.
When you are done creating the Snyk integration in AWS CloudTrail Lake, copy the Channel ARN that is displayed on the integration page. You will need this for the next step.
Configure the integration in Snyk
After creating the integration in AWS CloudTrail Lake, configure the integration on the Snyk side so that Snyk can start sending logs.
To do this, go to the Snyk integrations page, navigate to Cloud events, and click the AWS CloudTrail Lake tile.

Enter a name for this integration, your AWS Account ID, and the Channel ARN from the previous step.

Once this step is complete, Snyk will begin forwarding audit logs to AWS CloudTrail Lake immediately. You can click View settings or go to the AWS CloudTrail Lake settings page to view and manage the integration.
Remove an AWS CloudTrail Lake integration
Go to the AWS CloudTrail Lake settings page and select the name of the integration you want to remove.

Select Remove integration and confirm that you want to remove the integration.

This action removes Snyk’s configuration for this integration, which prevents any further audit logs from being sent to AWS CloudTrail Lake. It does not remove the Snyk integration in AWS CloudTrail Lake. To remove that as well, go to AWS CloudTrail Lake and delete the Snyk integration from the Integration list.
Query Snyk audit logs in AWS CloudTrail Lake
Once your Snyk audit logs are being forwarded to AWS CloudTrail Lake, you can access them with the AWS CloudTrail Lake Query functionality. You can use this example query to get started:

    select
        eventtime,
        eventdata.useridentity,
        eventdata.eventname,
        eventdata.additionaleventdata
    from <EVENT-DATA-STORE-ID>
    order by eventtime desc
    limit 10

Replace <EVENT-DATA-STORE-ID> with the ID of the event data store that is associated with the Snyk integration in AWS CloudTrail Lake.
Understanding the log data
There are three (3) key fields to note when using the Snyk audit log data in AWS CloudTrail Lake.
eventdata.useridentity
The event useridentity contains a field called principalid, which represents the Snyk user ID for the user associated with the audit event. You can use Snyk API v1 Get organization level audit logs to match the Snyk user ID with a user in your organization.
eventdata.eventname
This represents the type of audit event (for example, api.access or org.cloud_config.settings.edit) and can be used to group or filter events.
eventdata.additionaleventdata
This field contains a raw JSON payload with more detailed information about the audit event. The content of the payload depends on the type of the event. For example, an API access event will include the accessed URL, while a settings change event will include before and after values for the changed setting.
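The query below is an added example, not part of the original Snyk documentation. It uses the three fields described above to summarize non-API-access activity per Snyk user ID and event type, which is a common starting point when reviewing who changed what. The timestamp literal is a constructed placeholder; <EVENT-DATA-STORE-ID> is the same placeholder used in the starter query.

```sql
-- Added example: activity summary per Snyk user and event type.
-- Excludes api.access so that configuration and membership changes
-- are not buried under routine API traffic.
select
    eventdata.useridentity.principalid as snyk_user_id,  -- Snyk user ID
    eventdata.eventname               as event_name,     -- audit event type
    count(*)                          as event_count,
    min(eventtime)                    as first_seen,
    max(eventtime)                    as last_seen
from <EVENT-DATA-STORE-ID>
where eventdata.eventname <> 'api.access'
  -- Constructed placeholder: set this to the start of your review window.
  and eventtime > '2024-01-01 00:00:00'
group by
    eventdata.useridentity.principalid,
    eventdata.eventname
order by event_count desc
limit 50
```

The `--` comments are explanatory and can be dropped before running. To inspect a specific row from the summary, filter the starter query on the same principalid and eventname and read eventdata.additionaleventdata for the event details.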